
Side by Side Diff: net/url_request/url_request_unittest.cc

Issue 2100303002: Add OCSPVerifyResult for tracking stapled OCSP responses cross-platform. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@ocsp-date-check
Patch Set: Always pass ocsp_response to verifier. Created 4 years, 5 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <memory> 5 #include <memory>
6 #include <utility> 6 #include <utility>
7 7
8 #include "base/memory/ptr_util.h" 8 #include "base/memory/ptr_util.h"
9 #include "base/run_loop.h" 9 #include "base/run_loop.h"
10 #include "build/build_config.h" 10 #include "build/build_config.h"
(...skipping 678 matching lines...) Expand 10 before | Expand all | Expand 10 after
689 GURL latest_report_uri_; 689 GURL latest_report_uri_;
690 std::string latest_report_; 690 std::string latest_report_;
691 }; 691 };
692 692
693 class TestExperimentalFeaturesNetworkDelegate : public TestNetworkDelegate { 693 class TestExperimentalFeaturesNetworkDelegate : public TestNetworkDelegate {
694 public: 694 public:
695 bool OnAreExperimentalCookieFeaturesEnabled() const override { return true; } 695 bool OnAreExperimentalCookieFeaturesEnabled() const override { return true; }
696 bool OnAreStrictSecureCookiesEnabled() const override { return true; } 696 bool OnAreStrictSecureCookiesEnabled() const override { return true; }
697 }; 697 };
698 698
699 // OCSPErrorTestDelegate caches the SSLInfo passed to OnSSLCertificateError.
700 // This is needed because after the certificate failure, the URLRequest will
701 // retry the connection, and return a partial SSLInfo with a cached cert status.
702 // The partial SSLInfo does not have the OCSP information filled out.
703 class OCSPErrorTestDelegate : public TestDelegate {
704 public:
705 void OnSSLCertificateError(URLRequest* request,
706 const SSLInfo& ssl_info,
707 bool fatal) override {
708 ssl_info_ = ssl_info;
709 on_ssl_certificate_error_called_ = true;
710 TestDelegate::OnSSLCertificateError(request, ssl_info, fatal);
711 }
712
713 bool on_ssl_certificate_error_called() {
714 return on_ssl_certificate_error_called_;
715 }
716
717 SSLInfo ssl_info() { return ssl_info_; }
718
719 private:
720 bool on_ssl_certificate_error_called_ = false;
721 SSLInfo ssl_info_;
722 };
723
699 } // namespace 724 } // namespace
700 725
701 // Inherit PlatformTest since we require the autorelease pool on Mac OS X. 726 // Inherit PlatformTest since we require the autorelease pool on Mac OS X.
702 class URLRequestTest : public PlatformTest { 727 class URLRequestTest : public PlatformTest {
703 public: 728 public:
704 URLRequestTest() : default_context_(true) { 729 URLRequestTest() : default_context_(true) {
705 default_context_.set_network_delegate(&default_network_delegate_); 730 default_context_.set_network_delegate(&default_network_delegate_);
706 default_context_.set_net_log(&net_log_); 731 default_context_.set_net_log(&net_log_);
707 job_factory_impl_ = new URLRequestJobFactoryImpl(); 732 job_factory_impl_ = new URLRequestJobFactoryImpl();
708 job_factory_.reset(job_factory_impl_); 733 job_factory_.reset(job_factory_impl_);
(...skipping 8246 matching lines...) Expand 10 before | Expand all | Expand 10 after
8955 CHECK_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); 8980 CHECK_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
8956 test_root_.reset(new ScopedTestRoot(root_cert.get())); 8981 test_root_.reset(new ScopedTestRoot(root_cert.get()));
8957 8982
8958 #if defined(USE_NSS_CERTS) 8983 #if defined(USE_NSS_CERTS)
8959 SetURLRequestContextForNSSHttpIO(&context_); 8984 SetURLRequestContextForNSSHttpIO(&context_);
8960 EnsureNSSHttpIOInit(); 8985 EnsureNSSHttpIOInit();
8961 #endif 8986 #endif
8962 } 8987 }
8963 8988
8964 void DoConnection(const SpawnedTestServer::SSLOptions& ssl_options, 8989 void DoConnection(const SpawnedTestServer::SSLOptions& ssl_options,
8965 CertStatus* out_cert_status) { 8990 TestDelegate* delegate,
8966 // We always overwrite out_cert_status. 8991 SSLInfo* out_ssl_info) {
8967 *out_cert_status = 0; 8992 // Always overwrite |out_ssl_info|.
8993 out_ssl_info->Reset();
8994
8968 SpawnedTestServer test_server( 8995 SpawnedTestServer test_server(
8969 SpawnedTestServer::TYPE_HTTPS, 8996 SpawnedTestServer::TYPE_HTTPS,
8970 ssl_options, 8997 ssl_options,
8971 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); 8998 base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
8972 ASSERT_TRUE(test_server.Start()); 8999 ASSERT_TRUE(test_server.Start());
8973 9000
8974 TestDelegate d; 9001 delegate->set_allow_certificate_errors(true);
8975 d.set_allow_certificate_errors(true); 9002 std::unique_ptr<URLRequest> r(context_.CreateRequest(
8976 std::unique_ptr<URLRequest> r( 9003 test_server.GetURL("/"), DEFAULT_PRIORITY, delegate));
8977 context_.CreateRequest(test_server.GetURL("/"), DEFAULT_PRIORITY, &d));
8978 r->Start(); 9004 r->Start();
8979 9005
8980 base::RunLoop().Run(); 9006 base::RunLoop().Run();
9007 EXPECT_EQ(1, delegate->response_started_count());
8981 9008
8982 EXPECT_EQ(1, d.response_started_count()); 9009 *out_ssl_info = r->ssl_info();
8983 *out_cert_status = r->ssl_info().cert_status; 9010 }
9011
9012 void DoConnection(const SpawnedTestServer::SSLOptions& ssl_options,
estark 2016/07/14 21:14:58 nit: I think overloads are generally discouraged-i
dadrian 2016/07/15 01:00:50 Done.
9013 CertStatus* out_cert_status) {
9014 // Always overwrite |out_cert_status|.
9015 *out_cert_status = 0;
9016
9017 TestDelegate d;
9018 SSLInfo ssl_info;
9019 ASSERT_NO_FATAL_FAILURE(DoConnection(ssl_options, &d, &ssl_info));
9020
9021 *out_cert_status = ssl_info.cert_status;
8984 } 9022 }
8985 9023
8986 ~HTTPSOCSPTest() override { 9024 ~HTTPSOCSPTest() override {
8987 #if defined(USE_NSS_CERTS) 9025 #if defined(USE_NSS_CERTS)
8988 ShutdownNSSHttpIO(); 9026 ShutdownNSSHttpIO();
8989 #endif 9027 #endif
8990 } 9028 }
8991 9029
8992 protected: 9030 protected:
8993 class AllowAnyCertCTPolicyEnforcer : public CTPolicyEnforcer { 9031 class AllowAnyCertCTPolicyEnforcer : public CTPolicyEnforcer {
(...skipping 134 matching lines...) Expand 10 before | Expand all | Expand 10 after
9128 } 9166 }
9129 9167
9130 TEST_F(HTTPSOCSPTest, Invalid) { 9168 TEST_F(HTTPSOCSPTest, Invalid) {
9131 if (!SystemSupportsOCSP()) { 9169 if (!SystemSupportsOCSP()) {
9132 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; 9170 LOG(WARNING) << "Skipping test because system doesn't support OCSP";
9133 return; 9171 return;
9134 } 9172 }
9135 9173
9136 SpawnedTestServer::SSLOptions ssl_options( 9174 SpawnedTestServer::SSLOptions ssl_options(
9137 SpawnedTestServer::SSLOptions::CERT_AUTO); 9175 SpawnedTestServer::SSLOptions::CERT_AUTO);
9138 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; 9176 ssl_options.ocsp_status =
9177 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE;
9139 9178
9140 CertStatus cert_status; 9179 CertStatus cert_status;
9141 DoConnection(ssl_options, &cert_status); 9180 DoConnection(ssl_options, &cert_status);
9142 9181
9143 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), 9182 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(),
9144 cert_status & CERT_STATUS_ALL_ERRORS); 9183 cert_status & CERT_STATUS_ALL_ERRORS);
9145 9184
9146 // Without a positive OCSP response, we shouldn't show the EV status. 9185 // Without a positive OCSP response, we shouldn't show the EV status.
9147 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); 9186 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
9148 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); 9187 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after
9192 ssl_options.ocsp_server_unavailable = true; 9231 ssl_options.ocsp_server_unavailable = true;
9193 9232
9194 CertStatus cert_status; 9233 CertStatus cert_status;
9195 DoConnection(ssl_options, &cert_status); 9234 DoConnection(ssl_options, &cert_status);
9196 9235
9197 EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS); 9236 EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS);
9198 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); 9237 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
9199 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); 9238 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
9200 } 9239 }
9201 9240
9241 static const struct OCSPVerifyTestData {
9242 std::vector<SpawnedTestServer::SSLOptions::SingleResponse> ocsp_responses;
9243 SpawnedTestServer::SSLOptions::OCSPProduced ocsp_produced;
9244 OCSPVerifyResult::ResponseStatus response_status;
9245 bool has_cert_status;
9246 OCSPRevocationStatus cert_status;
9247 } kOCSPVerifyData[] = {
9248
9249 {{{SpawnedTestServer::SSLOptions::OCSP_OK,
9250 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9251 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9252 OCSPVerifyResult::PROVIDED,
9253 true,
9254 OCSPRevocationStatus::GOOD},
9255
9256 {{{SpawnedTestServer::SSLOptions::OCSP_OK,
9257 SpawnedTestServer::SSLOptions::OCSP_DATE_OLD}},
9258 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9259 OCSPVerifyResult::INVALID_DATE,
9260 false,
9261 OCSPRevocationStatus::UNKNOWN},
9262
9263 {{{SpawnedTestServer::SSLOptions::OCSP_OK,
9264 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY}},
9265 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9266 OCSPVerifyResult::INVALID_DATE,
9267 false,
9268 OCSPRevocationStatus::UNKNOWN},
9269
9270 {{{SpawnedTestServer::SSLOptions::OCSP_OK,
9271 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG}},
9272 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9273 OCSPVerifyResult::INVALID_DATE,
9274 false,
9275 OCSPRevocationStatus::UNKNOWN},
9276
9277 {{{SpawnedTestServer::SSLOptions::OCSP_OK,
9278 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG}},
9279 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9280 OCSPVerifyResult::INVALID_DATE,
9281 false,
9282 OCSPRevocationStatus::UNKNOWN},
9283
9284 {{{SpawnedTestServer::SSLOptions::OCSP_TRY_LATER,
9285 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9286 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9287 OCSPVerifyResult::BAD_RESPONSE,
9288 false,
9289 OCSPRevocationStatus::UNKNOWN},
9290
9291 {{{SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE,
9292 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9293 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9294 OCSPVerifyResult::PARSE_RESPONSE,
9295 false,
9296 OCSPRevocationStatus::UNKNOWN},
9297
9298 {{{SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE_DATA,
9299 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9300 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9301 OCSPVerifyResult::PARSE_RESPONSE_DATA,
9302 false,
9303 OCSPRevocationStatus::UNKNOWN},
9304
9305 {{{SpawnedTestServer::SSLOptions::OCSP_REVOKED,
9306 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY}},
9307 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9308 OCSPVerifyResult::INVALID_DATE,
9309 false,
9310 OCSPRevocationStatus::UNKNOWN},
9311
9312 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN,
9313 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9314 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9315 OCSPVerifyResult::PROVIDED,
9316 true,
9317 OCSPRevocationStatus::UNKNOWN},
9318
9319 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN,
9320 SpawnedTestServer::SSLOptions::OCSP_DATE_OLD}},
9321 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9322 OCSPVerifyResult::INVALID_DATE,
9323 false,
9324 OCSPRevocationStatus::UNKNOWN},
9325
9326 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN,
9327 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY}},
9328 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9329 OCSPVerifyResult::INVALID_DATE,
9330 false,
9331 OCSPRevocationStatus::UNKNOWN},
9332
9333 {{{SpawnedTestServer::SSLOptions::OCSP_OK,
9334 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9335 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_BEFORE_CERT,
9336 OCSPVerifyResult::BAD_PRODUCED_AT,
9337 false,
9338 OCSPRevocationStatus::UNKNOWN},
9339
9340 {{{SpawnedTestServer::SSLOptions::OCSP_OK,
9341 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9342 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_AFTER_CERT,
9343 OCSPVerifyResult::BAD_PRODUCED_AT,
9344 false,
9345 OCSPRevocationStatus::UNKNOWN},
9346
9347 {{{SpawnedTestServer::SSLOptions::OCSP_OK,
9348 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9349 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_AFTER_CERT,
9350 OCSPVerifyResult::BAD_PRODUCED_AT,
9351 false,
9352 OCSPRevocationStatus::UNKNOWN},
9353
9354 {{{SpawnedTestServer::SSLOptions::OCSP_REVOKED,
9355 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9356 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9357 OCSPVerifyResult::PROVIDED,
9358 true,
9359 OCSPRevocationStatus::REVOKED},
9360
9361 {{{SpawnedTestServer::SSLOptions::OCSP_REVOKED,
9362 SpawnedTestServer::SSLOptions::OCSP_DATE_OLD}},
9363 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9364 OCSPVerifyResult::INVALID_DATE,
9365 false,
9366 OCSPRevocationStatus::UNKNOWN},
9367
9368 {{{SpawnedTestServer::SSLOptions::OCSP_REVOKED,
9369 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG}},
9370 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9371 OCSPVerifyResult::INVALID_DATE,
9372 false,
9373 OCSPRevocationStatus::UNKNOWN},
9374
9375 {{{SpawnedTestServer::SSLOptions::OCSP_OK,
9376 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9377 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9378 OCSPVerifyResult::PROVIDED,
9379 true,
9380 OCSPRevocationStatus::GOOD},
9381
9382 {{{SpawnedTestServer::SSLOptions::OCSP_OK,
9383 SpawnedTestServer::SSLOptions::OCSP_DATE_OLD},
9384 {SpawnedTestServer::SSLOptions::OCSP_OK,
9385 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9386 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9387 OCSPVerifyResult::PROVIDED,
9388 true,
9389 OCSPRevocationStatus::GOOD},
9390
9391 {{{SpawnedTestServer::SSLOptions::OCSP_OK,
9392 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY},
9393 {SpawnedTestServer::SSLOptions::OCSP_OK,
9394 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9395 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9396 OCSPVerifyResult::PROVIDED,
9397 true,
9398 OCSPRevocationStatus::GOOD},
9399
9400 {{{SpawnedTestServer::SSLOptions::OCSP_OK,
9401 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG},
9402 {SpawnedTestServer::SSLOptions::OCSP_OK,
9403 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9404 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9405 OCSPVerifyResult::PROVIDED,
9406 true,
9407 OCSPRevocationStatus::GOOD},
9408
9409 {{{SpawnedTestServer::SSLOptions::OCSP_OK,
9410 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY},
9411 {SpawnedTestServer::SSLOptions::OCSP_OK,
9412 SpawnedTestServer::SSLOptions::OCSP_DATE_OLD},
9413 {SpawnedTestServer::SSLOptions::OCSP_OK,
9414 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG}},
9415 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9416 OCSPVerifyResult::INVALID_DATE,
9417 false,
9418 OCSPRevocationStatus::UNKNOWN},
9419
9420 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN,
9421 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID},
9422 {SpawnedTestServer::SSLOptions::OCSP_REVOKED,
9423 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID},
9424 {SpawnedTestServer::SSLOptions::OCSP_OK,
9425 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9426 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9427 OCSPVerifyResult::PROVIDED,
9428 true,
9429 OCSPRevocationStatus::REVOKED},
9430
9431 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN,
9432 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID},
9433 {SpawnedTestServer::SSLOptions::OCSP_OK,
9434 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9435 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9436 OCSPVerifyResult::PROVIDED,
9437 true,
9438 OCSPRevocationStatus::UNKNOWN},
9439
9440 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN,
9441 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID},
9442 {SpawnedTestServer::SSLOptions::OCSP_REVOKED,
9443 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG},
9444 {SpawnedTestServer::SSLOptions::OCSP_OK,
9445 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9446 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9447 OCSPVerifyResult::PROVIDED,
9448 true,
9449 OCSPRevocationStatus::UNKNOWN},
9450
9451 {{{SpawnedTestServer::SSLOptions::OCSP_MISMATCHED_SERIAL,
9452 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}},
9453 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9454 OCSPVerifyResult::NO_MATCHING_RESPONSE,
9455 false,
9456 OCSPRevocationStatus::UNKNOWN},
9457
9458 {{{SpawnedTestServer::SSLOptions::OCSP_MISMATCHED_SERIAL,
9459 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY}},
9460 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID,
9461 OCSPVerifyResult::NO_MATCHING_RESPONSE,
9462 false,
9463 OCSPRevocationStatus::UNKNOWN},
9464
9465 };
9466
9467 class HTTPSOCSPVerifyTest
9468 : public HTTPSOCSPTest,
9469 public testing::WithParamInterface<OCSPVerifyTestData> {
9470 public:
9471 HTTPSOCSPVerifyTest() = default;
9472 virtual ~HTTPSOCSPVerifyTest() {}
9473 };
9474
9475 TEST_P(HTTPSOCSPVerifyTest, VerifyResult) {
9476 SpawnedTestServer::SSLOptions ssl_options(
9477 SpawnedTestServer::SSLOptions::CERT_AUTO);
9478 OCSPVerifyTestData test = GetParam();
9479
9480 ssl_options.ocsp_responses = test.ocsp_responses;
9481 ssl_options.ocsp_produced = test.ocsp_produced;
9482 ssl_options.staple_ocsp_response = true;
9483
9484 SSLInfo ssl_info;
9485 OCSPErrorTestDelegate delegate;
9486 ASSERT_NO_FATAL_FAILURE(DoConnection(ssl_options, &delegate, &ssl_info));
9487
9488 // The SSLInfo must be extracted from |delegate| on error, due to how
9489 // URLRequest caches certificate errors.
9490 if (delegate.have_certificate_errors()) {
9491 ASSERT_TRUE(delegate.on_ssl_certificate_error_called());
9492 ssl_info = delegate.ssl_info();
9493 }
9494
9495 EXPECT_EQ(test.response_status, ssl_info.ocsp.response_status);
9496
9497 if (test.has_cert_status) {
9498 ASSERT_TRUE(ssl_info.ocsp.cert_status);
9499 EXPECT_EQ(test.cert_status, *ssl_info.ocsp.cert_status);
9500 } else {
9501 EXPECT_FALSE(ssl_info.ocsp.cert_status);
9502 }
9503 }
9504
9505 INSTANTIATE_TEST_CASE_P(OCSPVerify,
9506 HTTPSOCSPVerifyTest,
9507 testing::ValuesIn(kOCSPVerifyData));
9508
9202 class HTTPSHardFailTest : public HTTPSOCSPTest { 9509 class HTTPSHardFailTest : public HTTPSOCSPTest {
9203 protected: 9510 protected:
9204 void SetupContext() override { 9511 void SetupContext() override {
9205 context_.set_ssl_config_service(new TestSSLConfigService( 9512 context_.set_ssl_config_service(new TestSSLConfigService(
9206 false /* check for EV */, false /* online revocation checking */, 9513 false /* check for EV */, false /* online revocation checking */,
9207 true /* require rev. checking for local 9514 true /* require rev. checking for local
9208 anchors */, 9515 anchors */,
9209 false /* token binding enabled */)); 9516 false /* token binding enabled */));
9210 } 9517 }
9211 }; 9518 };
9212 9519
9213 TEST_F(HTTPSHardFailTest, FailsOnOCSPInvalid) { 9520 TEST_F(HTTPSHardFailTest, FailsOnOCSPInvalid) {
9214 if (!SystemSupportsOCSP()) { 9521 if (!SystemSupportsOCSP()) {
9215 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; 9522 LOG(WARNING) << "Skipping test because system doesn't support OCSP";
9216 return; 9523 return;
9217 } 9524 }
9218 9525
9219 if (!SystemSupportsHardFailRevocationChecking()) { 9526 if (!SystemSupportsHardFailRevocationChecking()) {
9220 LOG(WARNING) << "Skipping test because system doesn't support hard fail " 9527 LOG(WARNING) << "Skipping test because system doesn't support hard fail "
9221 << "revocation checking"; 9528 << "revocation checking";
9222 return; 9529 return;
9223 } 9530 }
9224 9531
9225 SpawnedTestServer::SSLOptions ssl_options( 9532 SpawnedTestServer::SSLOptions ssl_options(
9226 SpawnedTestServer::SSLOptions::CERT_AUTO); 9533 SpawnedTestServer::SSLOptions::CERT_AUTO);
9227 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; 9534 ssl_options.ocsp_status =
9535 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE;
9228 9536
9229 CertStatus cert_status; 9537 CertStatus cert_status;
9230 DoConnection(ssl_options, &cert_status); 9538 DoConnection(ssl_options, &cert_status);
9231 9539
9232 EXPECT_EQ(CERT_STATUS_REVOKED, 9540 EXPECT_EQ(CERT_STATUS_REVOKED,
9233 cert_status & CERT_STATUS_REVOKED); 9541 cert_status & CERT_STATUS_REVOKED);
9234 9542
9235 // Without a positive OCSP response, we shouldn't show the EV status. 9543 // Without a positive OCSP response, we shouldn't show the EV status.
9236 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); 9544 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
9237 } 9545 }
(...skipping 10 matching lines...) Expand all
9248 }; 9556 };
9249 9557
9250 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndInvalidOCSP) { 9558 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndInvalidOCSP) {
9251 if (!SystemSupportsOCSP()) { 9559 if (!SystemSupportsOCSP()) {
9252 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; 9560 LOG(WARNING) << "Skipping test because system doesn't support OCSP";
9253 return; 9561 return;
9254 } 9562 }
9255 9563
9256 SpawnedTestServer::SSLOptions ssl_options( 9564 SpawnedTestServer::SSLOptions ssl_options(
9257 SpawnedTestServer::SSLOptions::CERT_AUTO); 9565 SpawnedTestServer::SSLOptions::CERT_AUTO);
9258 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; 9566 ssl_options.ocsp_status =
9567 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE;
9259 SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); 9568 SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>());
9260 9569
9261 CertStatus cert_status; 9570 CertStatus cert_status;
9262 DoConnection(ssl_options, &cert_status); 9571 DoConnection(ssl_options, &cert_status);
9263 9572
9264 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), 9573 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(),
9265 cert_status & CERT_STATUS_ALL_ERRORS); 9574 cert_status & CERT_STATUS_ALL_ERRORS);
9266 9575
9267 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); 9576 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
9268 EXPECT_EQ(SystemUsesChromiumEVMetadata(), 9577 EXPECT_EQ(SystemUsesChromiumEVMetadata(),
(...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after
9320 } 9629 }
9321 9630
9322 TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSet) { 9631 TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSet) {
9323 if (!SystemSupportsOCSP()) { 9632 if (!SystemSupportsOCSP()) {
9324 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; 9633 LOG(WARNING) << "Skipping test because system doesn't support OCSP";
9325 return; 9634 return;
9326 } 9635 }
9327 9636
9328 SpawnedTestServer::SSLOptions ssl_options( 9637 SpawnedTestServer::SSLOptions ssl_options(
9329 SpawnedTestServer::SSLOptions::CERT_AUTO); 9638 SpawnedTestServer::SSLOptions::CERT_AUTO);
9330 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; 9639 ssl_options.ocsp_status =
9640 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE;
9331 SSLConfigService::SetCRLSet( 9641 SSLConfigService::SetCRLSet(
9332 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); 9642 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting()));
9333 9643
9334 CertStatus cert_status; 9644 CertStatus cert_status;
9335 DoConnection(ssl_options, &cert_status); 9645 DoConnection(ssl_options, &cert_status);
9336 9646
9337 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), 9647 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(),
9338 cert_status & CERT_STATUS_ALL_ERRORS); 9648 cert_status & CERT_STATUS_ALL_ERRORS);
9339 9649
9340 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); 9650 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
9341 EXPECT_EQ(SystemUsesChromiumEVMetadata(), 9651 EXPECT_EQ(SystemUsesChromiumEVMetadata(),
9342 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); 9652 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED));
9343 } 9653 }
9344 9654
9345 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetCovered) { 9655 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetCovered) {
9346 if (!SystemSupportsOCSP()) { 9656 if (!SystemSupportsOCSP()) {
9347 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; 9657 LOG(WARNING) << "Skipping test because system doesn't support OCSP";
9348 return; 9658 return;
9349 } 9659 }
9350 9660
9351 SpawnedTestServer::SSLOptions ssl_options( 9661 SpawnedTestServer::SSLOptions ssl_options(
9352 SpawnedTestServer::SSLOptions::CERT_AUTO); 9662 SpawnedTestServer::SSLOptions::CERT_AUTO);
9353 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; 9663 ssl_options.ocsp_status =
9664 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE;
9354 SSLConfigService::SetCRLSet( 9665 SSLConfigService::SetCRLSet(
9355 scoped_refptr<CRLSet>(CRLSet::ForTesting( 9666 scoped_refptr<CRLSet>(CRLSet::ForTesting(
9356 false, &kOCSPTestCertSPKI, ""))); 9667 false, &kOCSPTestCertSPKI, "")));
9357 9668
9358 CertStatus cert_status; 9669 CertStatus cert_status;
9359 DoConnection(ssl_options, &cert_status); 9670 DoConnection(ssl_options, &cert_status);
9360 9671
9361 // With a fresh CRLSet that covers the issuing certificate, we shouldn't do a 9672 // With a fresh CRLSet that covers the issuing certificate, we shouldn't do a
9362 // revocation check for EV. 9673 // revocation check for EV.
9363 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); 9674 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS);
9364 EXPECT_EQ(SystemUsesChromiumEVMetadata(), 9675 EXPECT_EQ(SystemUsesChromiumEVMetadata(),
9365 static_cast<bool>(cert_status & CERT_STATUS_IS_EV)); 9676 static_cast<bool>(cert_status & CERT_STATUS_IS_EV));
9366 EXPECT_FALSE( 9677 EXPECT_FALSE(
9367 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); 9678 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED));
9368 } 9679 }
9369 9680
9370 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetNotCovered) { 9681 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetNotCovered) {
9371 if (!SystemSupportsOCSP()) { 9682 if (!SystemSupportsOCSP()) {
9372 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; 9683 LOG(WARNING) << "Skipping test because system doesn't support OCSP";
9373 return; 9684 return;
9374 } 9685 }
9375 9686
9376 SpawnedTestServer::SSLOptions ssl_options( 9687 SpawnedTestServer::SSLOptions ssl_options(
9377 SpawnedTestServer::SSLOptions::CERT_AUTO); 9688 SpawnedTestServer::SSLOptions::CERT_AUTO);
9378 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; 9689 ssl_options.ocsp_status =
9690 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE;
9379 SSLConfigService::SetCRLSet( 9691 SSLConfigService::SetCRLSet(
9380 scoped_refptr<CRLSet>(CRLSet::EmptyCRLSetForTesting())); 9692 scoped_refptr<CRLSet>(CRLSet::EmptyCRLSetForTesting()));
9381 9693
9382 CertStatus cert_status = 0; 9694 CertStatus cert_status = 0;
9383 DoConnection(ssl_options, &cert_status); 9695 DoConnection(ssl_options, &cert_status);
9384 9696
9385 // Even with a fresh CRLSet, we should still do online revocation checks when 9697 // Even with a fresh CRLSet, we should still do online revocation checks when
9386 // the certificate chain isn't covered by the CRLSet, which it isn't in this 9698 // the certificate chain isn't covered by the CRLSet, which it isn't in this
9387 // test. 9699 // test.
9388 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), 9700 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(),
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after
9428 false /* check for EV */, false /* online revocation checking */, 9740 false /* check for EV */, false /* online revocation checking */,
9429 false /* require rev. checking for local 9741 false /* require rev. checking for local
9430 anchors */, 9742 anchors */,
9431 false /* token binding enabled */)); 9743 false /* token binding enabled */));
9432 } 9744 }
9433 }; 9745 };
9434 9746
9435 TEST_F(HTTPSCRLSetTest, ExpiredCRLSet) { 9747 TEST_F(HTTPSCRLSetTest, ExpiredCRLSet) {
9436 SpawnedTestServer::SSLOptions ssl_options( 9748 SpawnedTestServer::SSLOptions ssl_options(
9437 SpawnedTestServer::SSLOptions::CERT_AUTO); 9749 SpawnedTestServer::SSLOptions::CERT_AUTO);
9438 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; 9750 ssl_options.ocsp_status =
9751 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE;
9439 SSLConfigService::SetCRLSet( 9752 SSLConfigService::SetCRLSet(
9440 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); 9753 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting()));
9441 9754
9442 CertStatus cert_status; 9755 CertStatus cert_status;
9443 DoConnection(ssl_options, &cert_status); 9756 DoConnection(ssl_options, &cert_status);
9444 9757
9445 // If we're not trying EV verification then, even if the CRLSet has expired, 9758 // If we're not trying EV verification then, even if the CRLSet has expired,
9446 // we don't fall back to online revocation checks. 9759 // we don't fall back to online revocation checks.
9447 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); 9760 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS);
9448 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); 9761 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
(...skipping 394 matching lines...) Expand 10 before | Expand all | Expand 10 after
9843 AddTestInterceptor()->set_main_intercept_job(std::move(job)); 10156 AddTestInterceptor()->set_main_intercept_job(std::move(job));
9844 10157
9845 req->Start(); 10158 req->Start();
9846 req->Cancel(); 10159 req->Cancel();
9847 base::RunLoop().RunUntilIdle(); 10160 base::RunLoop().RunUntilIdle();
9848 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); 10161 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status());
9849 EXPECT_EQ(0, d.received_redirect_count()); 10162 EXPECT_EQ(0, d.received_redirect_count());
9850 } 10163 }
9851 10164
9852 } // namespace net 10165 } // namespace net
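Review bot: Three rows of `kOCSPVerifyData` repeat earlier rows verbatim, so `HTTPSOCSPVerifyTest.VerifyResult` runs the same stapled-response case twice instead of covering a new one: the second `OCSP_OK`/`OCSP_DATE_LONG` row (new lines 9277-9282), the second `OCSP_OK`/`OCSP_PRODUCED_AFTER_CERT` row (9347-9352), and the `OCSP_OK`/`OCSP_DATE_VALID` row at 9375-9380, which matches the first row. The table has a `OCSP_DATE_LONG` row for `OCSP_OK` and `OCSP_REVOKED` but none for `OCSP_UNKNOWN`, so the duplicate at 9277 may have been meant as `{{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN,`. The expected `INVALID_DATE` / `false` / `UNKNOWN` would presumably stay as they are, but that should be confirmed against the verifier. The other two duplicates should either be dropped or replaced with the cases they were intended to cover. A one-line comment above each group of rows (single response, bad producedAt, multiple responses, serial mismatch) would make gaps in this revocation matrix easier to spot.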